From: Mike Stepanek (mstepane) Date: Wed, 9 Oct 2019 14:21:41 +0000 (-0400) Subject: Merge pull request #1788 in SNORT/snort3 from ~MSTEPANE/snort3:build_262 to master X-Git-Tag: 3.0.0-262 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1ae4e5e40cc083cc55f3ec771ca93b367eadb7b;p=thirdparty%2Fsnort3.git Merge pull request #1788 in SNORT/snort3 from ~MSTEPANE/snort3:build_262 to master Squashed commit of the following: commit 6c381d2eb2aaf2ba82d7ad0aaab1cd4efb252bf5 Author: Mike Stepanek Date: Wed Oct 9 08:37:27 2019 -0400 build: generate and tag build 262 --- diff --git a/ChangeLog b/ChangeLog index 54f4a7e76..4784b728e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,60 @@ +19/10/09 - build 262 + +-- analyzer: move setting pkth to nullptr to after publishing finalize event +-- analyzer: publish other message event for unknown DAQ messages +-- appid: add support for bittorrent detection over standard ports +-- appid: add support for Lua detector callback mechanism +-- appid: add support for wildcard ports in host tracker +-- appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup +-- appid: fix populating dns_query for DNS traffic +-- binder: allow binder to support global level service inspectors +-- binder: remove global check for stream inspectors and revert module_map changes +-- codecs: fix checksumming a single byte of unaligned data +-- codecs: use checksum validation from DAQ packet decode data when available +-- detection: consistently prefer service rules over port rules +-- detection: do not split service groups by ip proto to avoid extra searches +-- detection: map file rules to services +-- detection: non-service rules must match on rule header proto +-- detection: remove cruft from match accumulator +-- detection: remove more cruft from match tracker +-- detection: remove the inappropriate match tracker from mpse batch setup +-- detection: remove unnecessary match data from eval context +-- detection: support alert file rules w/o optional services +-- detection: update trace to indicate eval task +-- detection: use reference for signature eval data +-- doc: add Snort2Lua note on ips rule action rewrite +-- flow: check if control packet has a valid daq instance before setting up daq expected flow and + add pegcounts for expected flows +-- flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are + reused until snort exits or reload changes the max_flows setting +-- flow: when walking uni_list stop before reaching head +-- helpers: discovery filter support for zone matching +-- helpers: implement port exclusion in discovery filter +-- http2_inspect: cut headers from frame_data buffer +-- http2_inspect: parse hpack header representations and decode string literals +-- http2_inspect: validate connection preface +-- ips_options: minor code style changes +-- libtcp: turn off no-ack mode if packet is out of order +-- lua: added move constructor and move assignment operator to Lua::State to fix segv +-- lua: fixed whitespace to match style guidelines +-- managers: add null check in reload_module to prevent crash when trying to reload module that has + not been configured +-- profiler: increase width of checks and alloc fields so values don't run together +-- protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag +-- pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent +-- reputation: prevent reload module crash when reputation is not configured in lua at startup +-- reputation: SIDs for source and destination-triggered events added +-- snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured + in wizard and add --bind-port option to enable port bindings conversion +-- snort2lua: remove identity related options from firewall +-- snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and + file_data +-- stream: clean up cppcheck warnings +-- stream: clean up update_direction +-- stream: code cleanup and dead-code removal +-- unit-tests: fix compiler warnings that snuck into CppUTest unit tests +-- utils: prevent integer overflow/underflow when reading BER elements + 19/09/12 - build 261 -- analyzer: Process retry queue and onloads when no DAQ messages are received diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 4d11ba62a..c555073ef 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2); 
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 261)
+o"  )~   Version 3.0.0 (Build 262)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
@@ -7286,6 +7286,11 @@ string daq.modules[].variables[].variable: DAQ mod
 
 
  • 
 
    
+daq.expected_flows: expected flows created in DAQ (sum)
+
    
+
    • 
+
  • 
+
    
 daq.retries_queued: messages queued for retry (sum)
 
    
 
    • 
@@ -7304,6 +7309,21 @@ string daq.modules[].variables[].variable: DAQ mod
 daq.retries_discarded: messages discarded when purging the retry queue (sum)
 
    
 
+
  • 
+
    
+daq.sof_messages: start of flow messages received from DAQ (sum)
+
    
+
    • 
+
  • 
+
    
+daq.eof_messages: end of flow messages received from DAQ (sum)
+
    
+
    • 
+
  • 
+
    
+daq.other_messages: messages received from DAQ with unrecognized message type (sum)
+
    
+
    •
    @@ -8521,7 +8541,7 @@ string references[].url: where this reference is d

    • -enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit } +enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }

    • @@ -9843,6 +9863,11 @@ bool esp.decode_esp = false: enable for inspection of esp traff icmp4.bad_checksum: non-zero icmp checksums (sum)

      • +
    • +

      +icmp4.checksum_bypassed: checksum calculations bypassed (sum) +

      +
    @@ -9920,6 +9945,11 @@ bool esp.decode_esp = false: enable for inspection of esp traff icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)

    +
  • +

    +icmp6.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • @@ -10056,6 +10086,11 @@ bool esp.decode_esp = false: enable for inspection of esp traff ipv4.bad_checksum: nonzero ip checksums (sum)

    +
  • +

    +ipv4.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • @@ -10448,6 +10483,11 @@ enum mpls.mpls_payload_type = ip4: set encapsulated payload typ tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)

    +
  • +

    +tcp.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • @@ -10552,6 +10592,11 @@ bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)

    +
  • +

    +udp.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • @@ -12519,6 +12564,11 @@ bool finalize_packet.switch_to_wizard = false: switch to wizard finalize_packet.events: total events seen (sum)

    +
  • +

    +finalize_packet.other_messages: total other message seen (sum) +

    +
    • @@ -12886,6 +12936,16 @@ int gtp_inspect.trace: mask for enabling debug traces in module 121:5 (http2_inspect) unexpected continuation frame

    +
  • +

    +121:6 (http2_inspect) misformatted HTTP/2 traffic +

    +
    • +
  • +

    +121:7 (http2_inspect) HTTP/2 connection preface does not match +

    +

    • Peg counts:

      @@ -15083,17 +15143,32 @@ string reputation.whitelist: whitelist file name with IP lists

      • -136:1 (reputation) packets blacklisted +136:1 (reputation) packets blacklisted based on source +

        +
        • +
      • +

        +136:2 (reputation) packets whitelisted based on source +

        +
        • +
      • +

        +136:3 (reputation) packets monitored based on source +

        +
        • +
      • +

        +136:4 (reputation) packets blacklisted based on destination

      • -136:2 (reputation) packets whitelisted +136:5 (reputation) packets whitelisted based on destination

      • -136:3 (reputation) packets monitored +136:6 (reputation) packets monitored based on destination

      @@ -16386,6 +16461,26 @@ int stream.trace: mask for enabling debug traces in module { 0: stream.ha_prunes: sessions pruned by high availability sync (sum)

      +
    • +

      +stream.expected_flows: total expected flows created within snort (sum) +

      +
      • +
    • +

      +stream.expected_realized: number of expected flows realized (sum) +

      +
      • +
    • +

      +stream.expected_pruned: number of expected flows pruned (sum) +

      +
      • +
    • +

      +stream.expected_overflows: number of expected cache overflows (sum) +

      +
    @@ -16738,12 +16833,12 @@ int stream_tcp.queue_limit.max_segments = 2621: don’t que

  • -int stream_tcp.small_segments.count = 0: limit number of small segments queued { 0:2048 } +int stream_tcp.small_segments.count = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }

  • -int stream_tcp.small_segments.maximum_size = 0: limit number of small segments queued { 0:2048 } +int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }

  • @@ -21377,6 +21472,11 @@ options into a Snort++ configuration file

  • +--bind-port Convert port bindings +

    +
    • +
  • +

    --conf-file Same as -c. A Snort <snort_conf> file which will be converted

    @@ -21552,6 +21652,15 @@ If the original configuration contains a binding that points to another into one output.

    • +
  • +

    +If the original configuration contains a replace rule with alert action, + Snort2Lua won’t translate the rule from alert to rewrite action. It will + keep the action as alert, which does not actually replace the content in + Snort 3. To replace content, the rule action needs to be rewrite, which + can be added manually or by tooling. +

    +
    • @@ -27779,7 +27888,7 @@ bool rt_packet.retry_targeted = false: request retry for packet

  • -enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit } +enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }

  • @@ -29114,12 +29223,12 @@ bool stream_tcp.show_rebuilt_packets = false: enable cmg like o

  • -int stream_tcp.small_segments.count = 0: limit number of small segments queued { 0:2048 } +int stream_tcp.small_segments.count = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }

  • -int stream_tcp.small_segments.maximum_size = 0: limit number of small segments queued { 0:2048 } +int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }

  • @@ -29459,6 +29568,16 @@ interval wscale.~range: check if TCP window scale is in given r

  • +daq.eof_messages: end of flow messages received from DAQ (sum) +

    +
    • +
  • +

    +daq.expected_flows: expected flows created in DAQ (sum) +

    +
    • +
  • +

    daq.filtered: packets filtered out (sum)

    • @@ -29489,6 +29608,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +daq.other_messages: messages received from DAQ with unrecognized message type (sum) +

    +
    • +
  • +

    daq.outstanding: packets unprocessed (sum)

    • @@ -29544,6 +29668,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +daq.sof_messages: start of flow messages received from DAQ (sum) +

    +
    • +
  • +

    daq.whitelist: total whitelist verdicts (sum)

    • @@ -30329,6 +30458,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +finalize_packet.other_messages: total other message seen (sum) +

    +
    • +
  • +

    finalize_packet.pdus: total PDUs seen (sum)

    • @@ -30624,11 +30758,21 @@ interval wscale.~range: check if TCP window scale is in given r

  • +icmp4.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • +
  • +

    icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)

  • +icmp6.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • +
  • +

    imap.b64_attachments: total base64 attachments decoded (sum)

    • @@ -30694,6 +30838,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +ipv4.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • +
  • +

    latency.max_usecs: maximum usecs elapsed (sum)

    • @@ -31759,6 +31908,26 @@ interval wscale.~range: check if TCP window scale is in given r

  • +stream.expected_flows: total expected flows created within snort (sum) +

    +
    • +
  • +

    +stream.expected_overflows: number of expected cache overflows (sum) +

    +
    • +
  • +

    +stream.expected_pruned: number of expected flows pruned (sum) +

    +
    • +
  • +

    +stream.expected_realized: number of expected flows realized (sum) +

    +
    • +
  • +

    stream.flows: total sessions (sum)

    • @@ -32234,6 +32403,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +tcp.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • +
  • +

    tcp_connector.messages: total messages (sum)

    • @@ -32264,6 +32438,11 @@ interval wscale.~range: check if TCP window scale is in given r

  • +udp.checksum_bypassed: checksum calculations bypassed (sum) +

    +
    • +
  • +

    wizard.tcp_hits: tcp identifications (sum)

    • @@ -33984,6 +34163,16 @@ interval wscale.~range: check if TCP window scale is in given r

  • +121:6 (http2_inspect) misformatted HTTP/2 traffic +

    +
    • +
  • +

    +121:7 (http2_inspect) HTTP/2 connection preface does not match +

    +
    • +
  • +

    122:1 (port_scan) TCP portscan

    • @@ -34764,17 +34953,32 @@ interval wscale.~range: check if TCP window scale is in given r

  • -136:1 (reputation) packets blacklisted +136:1 (reputation) packets blacklisted based on source +

    +
    • +
  • +

    +136:2 (reputation) packets whitelisted based on source +

    +
    • +
  • +

    +136:3 (reputation) packets monitored based on source +

    +
    • +
  • +

    +136:4 (reputation) packets blacklisted based on destination

  • -136:2 (reputation) packets whitelisted +136:5 (reputation) packets whitelisted based on destination

  • -136:3 (reputation) packets monitored +136:6 (reputation) packets monitored based on destination

  • @@ -38093,7 +38297,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index 3ce6f6204..69aff9552 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 402d9d5d1..eafbd640e 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -393,7 +393,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 261) +o" )~ Version 3.0.0 (Build 262) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. @@ -5496,6 +5496,7 @@ Peg counts: * daq.idle: attempts to acquire from DAQ without available packets (sum) * daq.rx_bytes: total bytes received (sum) + * daq.expected_flows: expected flows created in DAQ (sum) * daq.retries_queued: messages queued for retry (sum) * daq.retries_dropped: messages dropped when overrunning the retry queue (sum) @@ -5503,6 +5504,10 @@ Peg counts: (sum) * daq.retries_discarded: messages discarded when purging the retry queue (sum) + * daq.sof_messages: start of flow messages received from DAQ (sum) + * daq.eof_messages: end of flow messages received from DAQ (sum) + * daq.other_messages: messages received from DAQ with unrecognized + message type (sum) 6.6. decode @@ -6159,7 +6164,7 @@ Configuration: * enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | - drop | block | reset | inherit } + drop | block | reset | react | reject | rewrite | inherit } * enum rule_state.$gid_sid[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit } @@ -6767,6 +6772,7 @@ Rules: Peg counts: * icmp4.bad_checksum: non-zero icmp checksums (sum) + * icmp4.checksum_bypassed: checksum calculations bypassed (sum) 7.13. icmp6 @@ -6805,6 +6811,7 @@ Rules: Peg counts: * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum) + * icmp6.checksum_bypassed: checksum calculations bypassed (sum) 7.14. igmp @@ -6860,6 +6867,7 @@ Rules: Peg counts: * ipv4.bad_checksum: nonzero ip checksums (sum) + * ipv4.checksum_bypassed: checksum calculations bypassed (sum) 7.16. ipv6 @@ -7046,6 +7054,7 @@ Peg counts: * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) + * tcp.checksum_bypassed: checksum calculations bypassed (sum) 7.23. token_ring @@ -7097,6 +7106,7 @@ Peg counts: * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum) * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum) + * udp.checksum_bypassed: checksum calculations bypassed (sum) 7.25. vlan @@ -7994,6 +8004,7 @@ Peg counts: * finalize_packet.pdus: total PDUs seen (sum) * finalize_packet.events: total events seen (sum) + * finalize_packet.other_messages: total other message seen (sum) 9.18. ftp_client @@ -8171,6 +8182,8 @@ Rules: * 121:3 (http2_inspect) error in HPACK string value * 121:4 (http2_inspect) missing continuation frame * 121:5 (http2_inspect) unexpected continuation frame + * 121:6 (http2_inspect) misformatted HTTP/2 traffic + * 121:7 (http2_inspect) HTTP/2 connection preface does not match Peg counts: @@ -8955,9 +8968,12 @@ Configuration: Rules: - * 136:1 (reputation) packets blacklisted - * 136:2 (reputation) packets whitelisted - * 136:3 (reputation) packets monitored + * 136:1 (reputation) packets blacklisted based on source + * 136:2 (reputation) packets whitelisted based on source + * 136:3 (reputation) packets monitored based on source + * 136:4 (reputation) packets blacklisted based on destination + * 136:5 (reputation) packets whitelisted based on destination + * 136:6 (reputation) packets monitored based on destination Peg counts: @@ -9452,6 +9468,12 @@ Peg counts: pruning (sum) * stream.memcap_prunes: sessions pruned due to memcap (sum) * stream.ha_prunes: sessions pruned by high availability sync (sum) + * stream.expected_flows: total expected flows created within snort + (sum) + * stream.expected_realized: number of expected flows realized (sum) + * stream.expected_pruned: number of expected flows pruned (sum) + * stream.expected_overflows: number of expected cache overflows + (sum) 9.43. stream_file @@ -9603,10 +9625,10 @@ Configuration: than given bytes per session and direction { 0:max32 } * int stream_tcp.queue_limit.max_segments = 2621: don’t queue more than given segments per session and direction { 0:max32 } - * int stream_tcp.small_segments.count = 0: limit number of small - segments queued { 0:2048 } - * int stream_tcp.small_segments.maximum_size = 0: limit number of - small segments queued { 0:2048 } + * int stream_tcp.small_segments.count = 0: number of consecutive + TCP small segments considered to be excessive (129:12) { 0:2048 } + * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for + a TCP segment not to be considered small (129:12) { 0:2048 } * int stream_tcp.session_timeout = 30: session tracking timeout { 1:max31 } * bool stream_tcp.track_only = false: disable reassembly if true @@ -12829,6 +12851,7 @@ Converts the Snort configuration file specified by the -c or provided * -V Print the current Snort2Lua version * --bind-wizard Add default wizard to bindings + * --bind-port Convert port bindings * --conf-file Same as -c. A Snort file which will be converted * --dont-parse-includes Same as -p. if file contains @@ -12900,6 +12923,12 @@ Converts the Snort configuration file specified by the -c or will output the number of rejects for the binding file in addition to the number of rejects in the main file. The two numbers will eventually be combined into one output. + * If the original configuration contains a replace rule with alert + action, Snort2Lua won’t translate the rule from alert to rewrite + action. It will keep the action as alert, which does not actually + replace the content in Snort 3. To replace content, the rule + action needs to be rewrite, which can be added manually or by + tooling. 17.3. Usage @@ -15471,7 +15500,7 @@ these libraries see the Getting Started section of the manual. whose data starts with A * enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | - drop | block | reset | inherit } + drop | block | reset | react | reject | rewrite | inherit } * enum rule_state.$gid_sid[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit } @@ -15937,10 +15966,10 @@ these libraries see the Getting Started section of the manual. 1:max31 } * bool stream_tcp.show_rebuilt_packets = false: enable cmg like output of reassembled packets - * int stream_tcp.small_segments.count = 0: limit number of small - segments queued { 0:2048 } - * int stream_tcp.small_segments.maximum_size = 0: limit number of - small segments queued { 0:2048 } + * int stream_tcp.small_segments.count = 0: number of consecutive + TCP small segments considered to be excessive (129:12) { 0:2048 } + * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for + a TCP segment not to be considered small (129:12) { 0:2048 } * bool stream_tcp.track_only = false: disable reassembly if true * int stream.trace: mask for enabling debug traces in module { 0:max53 } @@ -16044,6 +16073,8 @@ these libraries see the Getting Started section of the manual. * daq.blacklist: total blacklist verdicts (sum) * daq.block: total block verdicts (sum) * daq.dropped: packets dropped (sum) + * daq.eof_messages: end of flow messages received from DAQ (sum) + * daq.expected_flows: expected flows created in DAQ (sum) * daq.filtered: packets filtered out (sum) * daq.idle: attempts to acquire from DAQ without available packets (sum) @@ -16053,6 +16084,8 @@ these libraries see the Getting Started section of the manual. lack of DAQ support (sum) * daq.internal_whitelist: packets whitelisted internally due to lack of DAQ support (sum) + * daq.other_messages: messages received from DAQ with unrecognized + message type (sum) * daq.outstanding: packets unprocessed (sum) * daq.pcaps: total files and interfaces processed (max) * daq.received: total packets received from DAQ (sum) @@ -16067,6 +16100,7 @@ these libraries see the Getting Started section of the manual. * daq.retry: total retry verdicts (sum) * daq.rx_bytes: total bytes received (sum) * daq.skipped: packets skipped at startup (sum) + * daq.sof_messages: start of flow messages received from DAQ (sum) * daq.whitelist: total whitelist verdicts (sum) * data_log.packets: total packets (sum) * dce_http_proxy.http_proxy_session_failures: failed http proxy @@ -16296,6 +16330,7 @@ these libraries see the Getting Started section of the manual. * file_id.total_files: number of files processed (sum) * file_log.total_events: total file events (sum) * finalize_packet.events: total events seen (sum) + * finalize_packet.other_messages: total other message seen (sum) * finalize_packet.pdus: total PDUs seen (sum) * ftp_data.packets: total packets (sum) * ftp_server.concurrent_sessions: total concurrent FTP sessions @@ -16385,7 +16420,9 @@ these libraries see the Getting Started section of the manual. (sum) * http_inspect.uri_path: URIs with path problems (sum) * icmp4.bad_checksum: non-zero icmp checksums (sum) + * icmp4.checksum_bypassed: checksum calculations bypassed (sum) * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum) + * icmp6.checksum_bypassed: checksum calculations bypassed (sum) * imap.b64_attachments: total base64 attachments decoded (sum) * imap.b64_decoded_bytes: total base64 decoded bytes (sum) * imap.concurrent_sessions: total concurrent imap sessions (now) @@ -16402,6 +16439,7 @@ these libraries see the Getting Started section of the manual. * imap.uu_attachments: total uu attachments decoded (sum) * imap.uu_decoded_bytes: total uu decoded bytes (sum) * ipv4.bad_checksum: nonzero ip checksums (sum) + * ipv4.checksum_bypassed: checksum calculations bypassed (sum) * latency.max_usecs: maximum usecs elapsed (sum) * latency.packet_timeouts: packets that timed out (sum) * latency.rule_eval_timeouts: rule evals that timed out (sum) @@ -16663,6 +16701,12 @@ these libraries see the Getting Started section of the manual. * ssl.sessions_ignored: total sessions ignore (sum) * ssl.unrecognized_records: total unrecognized records (sum) * stream.excess_prunes: sessions pruned due to excess (sum) + * stream.expected_flows: total expected flows created within snort + (sum) + * stream.expected_overflows: number of expected cache overflows + (sum) + * stream.expected_pruned: number of expected flows pruned (sum) + * stream.expected_realized: number of expected flows realized (sum) * stream.flows: total sessions (sum) * stream.ha_prunes: sessions pruned by high availability sync (sum) * stream_icmp.created: icmp session trackers created (sum) @@ -16778,6 +16822,7 @@ these libraries see the Getting Started section of the manual. * stream.uni_prunes: uni sessions pruned (sum) * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) + * tcp.checksum_bypassed: checksum calculations bypassed (sum) * tcp_connector.messages: total messages (sum) * telnet.concurrent_sessions: total concurrent Telnet sessions (now) @@ -16786,6 +16831,7 @@ these libraries see the Getting Started section of the manual. * telnet.total_packets: total packets (sum) * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum) * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum) + * udp.checksum_bypassed: checksum calculations bypassed (sum) * wizard.tcp_hits: tcp identifications (sum) * wizard.tcp_scans: tcp payload scans (sum) * wizard.udp_hits: udp identifications (sum) @@ -17187,6 +17233,8 @@ these libraries see the Getting Started section of the manual. * 121:3 (http2_inspect) error in HPACK string value * 121:4 (http2_inspect) missing continuation frame * 121:5 (http2_inspect) unexpected continuation frame + * 121:6 (http2_inspect) misformatted HTTP/2 traffic + * 121:7 (http2_inspect) HTTP/2 connection preface does not match * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -17388,9 +17436,12 @@ these libraries see the Getting Started section of the manual. * 135:1 (stream) TCP SYN received * 135:2 (stream) TCP session established * 135:3 (stream) TCP session cleared - * 136:1 (reputation) packets blacklisted - * 136:2 (reputation) packets whitelisted - * 136:3 (reputation) packets monitored + * 136:1 (reputation) packets blacklisted based on source + * 136:2 (reputation) packets whitelisted based on source + * 136:3 (reputation) packets monitored based on source + * 136:4 (reputation) packets blacklisted based on destination + * 136:5 (reputation) packets whitelisted based on destination + * 136:6 (reputation) packets monitored based on destination * 137:1 (ssl) invalid client HELLO after server HELLO detected * 137:2 (ssl) invalid server HELLO without client HELLO detected * 137:3 (ssl) heartbeat read overrun attempt detected diff --git a/src/main/build.h b/src/main/build.h index 4acc8b930..e2b7f88b6 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 261 +#define BUILD_NUMBER 262 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)